-
Single Sign-On with Accumulo
Thorton Timms 2012-12-04, 15:26
Are there single sign-on options for Accumulo (like SAML or CAS or something else)? I'm interested in using Accumulo's cell-level security behind a web service. The web service would require authentication that I would like to pass on to Accumulo. This would allow Accumulo to handle the filtering of request results based on the user's authorization, instead of the web service having to do it. Is this possible?
Thanks, Thorton
-
Re: Single Sign-On with Accumulo
John Vines 2012-12-04, 16:42
Accumulo 1.4 handles all of its security internally, so you can't rely on an external service for managing the user space. However, you can have a web service which handles passing Accumulo credentials down into the system so you don't have to worry about the web service doing anything too elaborate.
Accumulo 1.5 is slated to have a pluggable security structure, which will support a variety of SSO mechanisms.
John

On Tue, Dec 4, 2012 at 10:26 AM, Thorton Timms <[EMAIL PROTECTED]> wrote:
> Are there single sign-on options for Accumulo (like SAML or CAS or something else)?
> I'm interested in using Accumulo's cell-level security behind a web service. The web service would require authentication that I would like to pass on to Accumulo. This would allow Accumulo to handle the filtering of request results based on the user's authorization, instead of the web service having to do it. Is this possible?
>
> Thanks,
> Thorton
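
The pass-through arrangement described in this reply, as an added example that is not part of the original thread or the Accumulo project's own code. It uses the Accumulo 1.4 client API; the `CredentialStore` interface and the `PassThroughScan` class are hypothetical, and the instance name, ZooKeeper hosts and table name are supplied by the caller.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.apache.accumulo.core.client.AccumuloException;
import org.apache.accumulo.core.client.AccumuloSecurityException;
import org.apache.accumulo.core.client.Connector;
import org.apache.accumulo.core.client.Instance;
import org.apache.accumulo.core.client.Scanner;
import org.apache.accumulo.core.client.TableNotFoundException;
import org.apache.accumulo.core.client.ZooKeeperInstance;
import org.apache.accumulo.core.data.Key;
import org.apache.accumulo.core.data.Value;
import org.apache.accumulo.core.security.Authorizations;

public class PassThroughScan {
    /** Hypothetical: returns the Accumulo password for a user the web tier has already authenticated. */
    public interface CredentialStore {
        byte[] passwordFor(String accumuloUser);
    }

    private final Instance instance;
    private final CredentialStore store;

    public PassThroughScan(String instanceName, String zooKeepers, CredentialStore store) {
        this.instance = new ZooKeeperInstance(instanceName, zooKeepers);
        this.store = store;
    }

    /** Scans a table as the end user, so Accumulo filters cells by visibility on the server side. */
    public List<String> rowsVisibleTo(String accumuloUser, String table)
            throws AccumuloException, AccumuloSecurityException, TableNotFoundException {
        // Connect as the end user rather than a shared service account, so that
        // Accumulo's own user database decides what this request may read.
        Connector conn = instance.getConnector(accumuloUser, store.passwordFor(accumuloUser));
        // Use the authorizations Accumulo holds for this user; the web service
        // does not compute or widen them.
        Authorizations auths = conn.securityOperations().getUserAuthorizations(accumuloUser);
        Scanner scanner = conn.createScanner(table, auths);
        List<String> visible = new ArrayList<String>();
        for (Map.Entry<Key, Value> entry : scanner) {
            Key key = entry.getKey();
            // Only cells whose visibility expression is satisfied by auths are returned.
            visible.add(key.getRow() + " [" + key.getColumnVisibility() + "]");
        }
        return visible;
    }
}
```

Because the connection is made with the end user's own Accumulo credentials, a scan that requests authorizations the user does not hold is rejected by Accumulo rather than by logic in the web tier.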
-
Re: Single Sign-On with Accumulo
Thorton Timms 2012-12-05, 15:01
Just to clarify, the suggestion is that after a user authenticates to a web service, that web service identifies the authorization of the user and the web service passes credentials of the appropriate level to Accumulo. Correct? The web service acts like a broker of authorization?
There are many potential uses for a cell-based security database. One use is in securing DoD data of different security classifications (hence part of the reason for NSA involvement in the Accumulo project). However, I don't think the above method of user authorization would pass DoD accreditation. At least, it would be very difficult to get accredited. Has the web service authentication broker method ever been used in a system that has been accredited?
When will Accumulo 1.5 be released?
Thanks, Thorton

On Tue, Dec 4, 2012 at 8:42 AM, John Vines <[EMAIL PROTECTED]> wrote:
> Accumulo 1.4 handles all of its security internally, so you can't rely on an external service for managing the user space. However, you can have a web service which handles passing Accumulo credentials down into the system so you don't have to worry about the web service doing anything too elaborate.
>
> Accumulo 1.5 is slated to have a pluggable security structure, which will support a variety of SSO mechanisms.
>
> John
>
> On Tue, Dec 4, 2012 at 10:26 AM, Thorton Timms <[EMAIL PROTECTED]> wrote:
>
>> Are there single sign-on options for Accumulo (like SAML or CAS or something else)?
>> I'm interested in using Accumulo's cell-level security behind a web service. The web service would require authentication that I would like to pass on to Accumulo. This would allow Accumulo to handle the filtering of request results based on the user's authorization, instead of the web service having to do it. Is this possible?
>>
>> Thanks,
>> Thorton
-
Re: Single Sign-On with Accumulo
Eric Newton 2012-12-05, 16:47
"When will Accumulo 1.5 be released?"
We are aiming for a feature freeze on Jan 18th. Testing on a ".0" release has typically run 6-8 weeks, so probably sometime in March.
-Eric
-
RE: Single Sign-On with Accumulo
Prout, Andrew - 1010 - MI... 2012-12-05, 17:06
This model of authentication pass-through is used in plenty of places within DoD. All CAC-enabled DoD webmail uses this via Kerberos delegation in Active Directory, for example.
Andrew Prout, CISSP
MIT Lincoln Laboratory
244 Wood Street, Lexington, MA 02420
Telephone: 781-981-3573
From: Thorton Timms [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 05, 2012 10:01 AM
To: [EMAIL PROTECTED]
Subject: Re: Single Sign-On with Accumulo
Just to clarify, the suggestion is that after a user authenticates to a web service, that web service identifies the authorization of the user and the web service passes credentials of the appropriate level to Accumulo. Correct? The web service acts like a broker of authorization?
There are many potential uses for a cell-based security database. One use is in securing DoD data of different security classifications (hence part of the reason for NSA involvement in the Accumulo project). However, I don't think the above method of user authorization would pass DoD accreditation. At least, it would be very difficult to get accredited. Has the web service authentication broker method ever been used in a system that has been accredited?
When will Accumulo 1.5 be released?
Thanks,
Thorton
On Tue, Dec 4, 2012 at 8:42 AM, John Vines <[EMAIL PROTECTED]> wrote:
Accumulo 1.4 handles all of its security internally, so you can't rely on an external service for managing the user space. However, you can have a web service which handles passing Accumulo credentials down into the system so you don't have to worry about the web service doing anything too elaborate.
Accumulo 1.5 is slated to have a pluggable security structure, which will support a variety of SSO mechanisms.
John
On Tue, Dec 4, 2012 at 10:26 AM, Thorton Timms <[EMAIL PROTECTED]> wrote:
Are there single sign-on options for Accumulo (like SAML or CAS or something else)?
I'm interested in using Accumulo's cell-level security behind a web service. The web service would require authentication that I would like to pass on to Accumulo. This would allow Accumulo to handle the filtering of request results based on the user's authorization, instead of the web service having to do it. Is this possible?
Thanks,
Thorton